I want to use AWS Identity and Access Management (IAM) credentials to connect to an Amazon Relational Database Service (Amazon RDS) for MySQL DB instance. I don't want to use native (password-based) database authentication to access my DB instance.
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
Prerequisite: You must launch a DB instance that supports IAM database authentication and an Amazon Elastic Compute Cloud (Amazon EC2) instance to connect to the database.
To use IAM credentials to connect to your DB instance, complete the following steps:
- Activate IAM database authentication.
- To connect to your RDS DB instance endpoint, Amazon Aurora DB instance endpoint, or Aurora cluster endpoint, run the following command:
mysql -h Endpoint -P Port_number -u DB_username -pPassword
Note: Replace Endpoint with your DB or cluster endpoint. Replace Port_number with the port number that your database listens on. Replace DB_username with your primary username. Replace Password with your primary password to log in (there is no space between -p and the password; with a space, the mysql client prompts for the password and treats the next argument as a database name).
- Create a database user account that uses IAM authentication instead of a password, and then modify the user account to support SSL connections.
- Create a policy that grants your IAM user access to the RDS DB instance or cluster.
Example policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rds-db:connect"
            ],
            "Resource": [
                "arn:aws:rds-db:us-east-2:111122223333:dbuser:db-ABCDEFGHIJKL01234/db_user"
            ]
        }
    ]
}
Note: Replace arn:aws:rds-db:us-east-2:111122223333:dbuser:db-ABCDEFGHIJKL01234/db_user with the Amazon Resource Name (ARN) of your DB instance or cluster.
- Create an IAM role that supports Amazon RDS, and then configure the following settings:
  - For Service or use case, choose EC2.
  - For Permissions policies, select the policy that you created.
- Attach the IAM role to the EC2 instance.
- Connect to your EC2 instance.
- Use an AWS SDK, such as the AWS SDK for .NET, to generate a token. Or, run the following generate-db-auth-token AWS CLI command to generate an IAM authentication token:
aws rds generate-db-auth-token --hostname Endpoint --port Port_number --username DB_username
Note: Replace Endpoint with your DB or cluster endpoint, Port_number with the port number that your database listens on, and DB_username with your database username. The IAM authentication token is valid for 15 minutes.
- Download an SSL root certificate bundle for all AWS Regions.
- Use the IAM role credentials and the IAM authentication token to connect to the RDS DB instance. Run the following command to use SSL to connect to the DB instance:
RDSHOST="rdsmysql.123456789012.us-west-2.rds.amazonaws.com"
TOKEN="$(aws rds generate-db-auth-token --hostname "$RDSHOST" --port Port_number --region us-west-2 --username DB_username)"
mysql --host="$RDSHOST" --port=Port_number --ssl-ca=/sample_dir/global-bundle.pem --enable-cleartext-plugin --user=DB_username --password="$TOKEN"
Note: Replace rdsmysql.123456789012.us-west-2.rds.amazonaws.com with the hostname of the DB instance that you want to access. Replace Port_number with the port number that your database listens on. Replace us-west-2 with the AWS Region of the database that you want to access. Replace DB_username with the database account that you want to access. Replace sample_dir with the full path to the SSL certificate file that contains the public key. If you use a MariaDB client, then don't include the --enable-cleartext-plugin option.
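To show what the 15-minute token from the generate-db-auth-token step actually is, here is an added example (not part of this article, the AWS CLI, or an AWS SDK) that builds the token with only the Python standard library: it is a SigV4 presigned GET request for rds-db:connect, so the signature binds the host, port, DB user, Region, issue time and expiry, which is why the token is safe to pass as the password only over an SSL connection and only for the user it names. The hostname, access key and secret are constructed placeholders, and token_expiry is a hypothetical helper for troubleshooting an expired token.

```python
import datetime
import hashlib
import hmac
import urllib.parse

TOKEN_LIFETIME = 900  # seconds; the token is valid for 15 minutes


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _enc(s: str) -> str:  # AWS URI encoding (RFC 3986 unreserved set)
    return urllib.parse.quote(s, safe="-_.~")


def generate_db_auth_token(hostname, port, username, region, access_key,
                           secret_key, now, session_token=None):
    """Return the SigV4 presigned rds-db:connect request used as the password."""
    amz_date, date_stamp = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    scope = f"{date_stamp}/{region}/rds-db/aws4_request"
    params = {"Action": "connect", "DBUser": username,
              "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
              "X-Amz-Credential": f"{access_key}/{scope}",
              "X-Amz-Date": amz_date, "X-Amz-Expires": str(TOKEN_LIFETIME),
              "X-Amz-SignedHeaders": "host"}
    if session_token:  # temporary credentials (EC2 instance role) carry a session token
        params["X-Amz-Security-Token"] = session_token
    query = "&".join(f"{_enc(k)}={_enc(v)}" for k, v in sorted(params.items()))
    host = f"{hostname}:{port}"
    canonical = "\n".join(["GET", "/", query, f"host:{host}", "", "host",
                           hashlib.sha256(b"").hexdigest()])  # empty body
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    key = _hmac(("AWS4" + secret_key).encode(), date_stamp)
    for part in (region, "rds-db", "aws4_request"):  # SigV4 key derivation chain
        key = _hmac(key, part)
    signature = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()
    return f"{host}/?{query}&X-Amz-Signature={signature}"


def token_expiry(token):
    """Hypothetical helper: parse a token and return its expiry as ISO-8601 UTC."""
    query = urllib.parse.parse_qs(token.split("?", 1)[1])
    issued = datetime.datetime.strptime(query["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
    expires = issued + datetime.timedelta(seconds=int(query["X-Amz-Expires"][0]))
    return expires.strftime("%Y-%m-%dT%H:%M:%SZ")


def example_token():
    """Constructed sample input: placeholder credentials and a fixed UTC clock."""
    fixed_now = datetime.datetime(2024, 1, 15, 12, 0, 0)
    return generate_db_auth_token(
        "rdsmysql.123456789012.us-west-2.rds.amazonaws.com", 3306, "db_user",
        "us-west-2", "AKIAEXAMPLEPLACEHOLDER", "EXAMPLE-SECRET-NOT-REAL", fixed_now)
```

Because the token is deterministic for a given clock value, comparing the X-Amz-Date and X-Amz-Expires it carries with the current time is the quickest check when a connection fails with an expired token.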
Related information
IAM database authentication for MariaDB, MySQL, and PostgreSQL
What are the least privileges required for a user to perform creates, deletes, modifications, backup, and recovery for an Amazon RDS DB instance?
AWSSupport-TroubleshootRDSIAMAuthentication